Funding, Testing Shortfalls Threaten Compliance

A new survey from the Security Compliance Council finds that many businesses are failing to spend enough time or money to ensure that they can make the grade with auditors.

New research published by the Security Compliance Council contends that very few companies are succeeding in their initial efforts to meet the demands of government IT regulations.

According to the report, which is based on interviews conducted with 671 executives working in IT, finance and legal positions at companies located around the globe, only 11 percent of all the firms involved in the survey were considered to be passing muster in their compliance-oriented efforts.

Those firms harbored fewer than two problems that could cause them to fail an inspection by compliance auditors, SCC said.

Most companies, or 69 percent of those participating in the study, were found to have between three and 15 specific compliance shortcomings, while 20 percent of those interviewed evidenced more than 15 problems, according to the industry group, which is backed by the Computer Security Institute, the Institute of Internal Auditors and Symantec.

The most frequent types of compliance issues reported in the study were problems with IT systems configuration and change management, insufficient audit logging and security monitoring, and ineffective end user and applications controls.

Other common problems involve improper handling of documentation, poor IT security policies and inadequate PC and laptop access controls.

Researchers said that it was not hard to identify the internal procedures being used at the few companies that are having the most success with their efforts, as those firms spent the most money addressing the problem and also conducted the highest percentage of in-house audits.

Firms that said they complete internal compliance tests on a monthly schedule fared far better than those doing so on a less regular basis, said Jim Hurley, director of research at security software maker Symantec.

"There are a lot of businesses with very immature technology controls, and the management of data knowledge is another telling point; laggards simply aren't collecting the right data," said Hurley.

"If you look at the IT budgets of the companies who are not doing well, they are very low and the spend on security is low; these are firms often looking to do the bare minimum of what they believe they need to do to comply."

Of the 20 percent of companies with the most compliance-related issues, most have "no hope" of passing muster under regulations such as the U.S. government's Sarbanes-Oxley Act or HIPAA (the Health Insurance Portability and Accountability Act), according to Hurley.

The report said that in addition to performing internal audits at least once a month, companies succeeding in their compliance efforts dedicate at least five IT workers' days per month purely to managing regulatory issues, and spend more than 10 percent of their overall IT budgets on security.